naming convention of email addresses/accounts

There seems to be some confusion about the naming convention of email addresses and account names in cPanel, and one situation today made me think.

Scenario:

A user account is created with the username Steven and the domain name steventools.com.
The user logs in and creates an email account Steven. cPanel does not come up with an error message even though the main account is already called Steven.
When sending an email to Steven@steventools.com, the email actually gets to the newly created account and not the main account.
So what would be the email address for that main account? Would it be steven@hostingserver.com? And what would the POP and SMTP login names for both accounts be?
Does anyone have more insight on this?

I did some testing and this is actually very scary!
If the account name is the name of one of the planned email addresses then this address will receive for both.
In our example an email sent to steven@hostingserver.com and steven@stevenstools.com would end up in the same mailbox. But here is the problem. You can send all messages to steven@stevenstools.com to blackhole or fail them but you cannot do the same with steven@hostingserver.com!!!!!!
This means that spammers can fill up these mailboxes and our hard drives! This is a security problem and needs to be addressed!
On top of that, the quota for that main account cannot be set, so can you imagine that this account can use up all of the customer's quota with spam?????
So I suggest that the username of an account should never be that of an email address that is later to be used.
cPanel needs to address this and find a way to change this and protect the main account inbox!
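
An added audit example, not part of the original post and not cPanel code: it flags mailboxes whose local part matches the username of the hosting account that owns the mailbox's domain, which is the overlap described above. The `domain: username` input format, the case-insensitive comparison, and all sample data other than the Steven/steventools.com pair are assumptions made for illustration.

```python
# Added audit example; input format and sample data are constructed assumptions.

SAMPLE_ACCOUNT_DOMAINS = """\
# domain: account username (constructed sample)
steventools.com: Steven
example-shop.test: maria
blog.example-shop.test: maria
"""

SAMPLE_MAILBOXES = [
    "Steven@steventools.com",    # same name as the owning account -> flagged
    "sales@steventools.com",
    "steven@example-shop.test",  # domain is owned by 'maria', so not flagged
    "MARIA@blog.example-shop.test",
]


def parse_account_domains(text):
    """Return {domain: username} from 'domain: username' lines, lower-cased."""
    owners = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        domain, user = (part.strip().lower() for part in line.split(":", 1))
        if domain and user:
            owners[domain] = user
    return owners


def find_collisions(owners, mailboxes):
    """Return sorted (username, address) pairs where the mailbox local part
    equals the username of the account that owns the mailbox's domain."""
    hits = []
    for address in mailboxes:
        local, sep, domain = address.strip().rpartition("@")
        if not sep or not local:
            continue  # not a usable address
        owner = owners.get(domain.lower())
        if owner is not None and local.lower() == owner:
            hits.append((owner, address.strip()))
    return sorted(hits)


if __name__ == "__main__":
    owners = parse_account_domains(SAMPLE_ACCOUNT_DOMAINS)
    for user, address in find_collisions(owners, SAMPLE_MAILBOXES):
        print(f"account '{user}' shares its name with mailbox {address}")
```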